F5 Distributed Cloud - Regional Edge Health Monitoring Insights


This article will focus on how to do a correct setup of Health Monitors and Load Balancing algorithms with F5 Distributed Cloud (F5 XC). And more specially, how it’s impacting the traffic flow between the consumer (end user browser for example) and the application provider (the Public facing Internet Website) in normal or degraded situation.



Think about your public facing website (HTTP or HTTPS). You have this Public IP and Port, exposed on the internet (from your Data Center or a Cloud Provider).

You want to add stronger security, and one of the simplest ways, is to expose this application through F5 Distributed Cloud (F5 XC).

By doing so, you benefit from multiple services: from network (DDoS) to Application level (WAAP, Brute Force, Malicious Bots, …), without changing the architecture.

With F5 XC, the application is now exposed on 23 Regional Edges (POP that aggregate high-speed connectivity, low latency, server capacity for application hosting, DDoS services, and much more).

Your application FQDN is now accessible through F5 XC Anycast IP address, spread across all those RE (Regional Edge).

23 Regional Edge locations Worldwide as of June 2023

Let’s decompose what you need at minimum

You need to configure 3 elements:

  • Health Check: to monitor your application and confirm it is accessible by simulating a normal user traffic (HTTP / HTTPS).
  • Origin Pool: it contains your Public IP and port for the application you host.
  • HTTP Load Balancer: the FQDN your end users will point to, with the certificate in case of TLS termination.
  • Optionally: you can add WAF Policy, API Protection and more


How is Health Check from the RE working ?

By default, your Health Check is coming from each RE (23 as of June 2023). It is using its own routing and Internet breakout to check the reachability of the application. You end up with a list of Origin Servers times the number of REs. On your Website, you should see IP addresses coming from those networks: https://docs.cloud.f5.com/docs/reference/network-cloud-ref

This is the reason why you see a list of Origin Server with the same exact IP (your Public IP), 23 times with a different RE (the “Site” column in the screenshot below).

Same Origin Server STATIC IP:Port, seen by each and every Regional Edge

The cool thing here, is that each and every RE is independent from the other in term of health check and is not relying on F5 Global Network. Traffic from the Regional Edge is leaving from the local presence to the Internet directly.


Can I restrict the list of REs that do the Health Check ?

By default, when you select “Public IP” in the Origin Pool member list, all the REs will check your Public IP and port. But if you select “IP Address of Origin Server on Given Sites” then you can restrict the list of REs (based on a country, a list of names, …).

Changing the default “Public IP” to “IP Address of Origin Server on given sites”

Selecting for the Public IP, a “virtual Site”

Selecting in the “virtual site” only REs that are located in France.


Now your list of Origin Server has changed from 23 to 2.

only Regional Edges from France have the state of the Origin Server

What happens if my traffic enter an RE not in this list ?

As mentioned in the introduction, the FQDN is matching an IP Anycast, exposed by default WorldWide on the 22 REs.

By default, the RE you enter, has a list of all those “Origin Server + RE” for your application.

When you created the Origin Pool for your application, the default configuration value in how a destination is selected is “Local Preferred”.

But you can select other options.


Here is quick summary of how things look depending on what you choose as “Endpoint Selection”:


State of the Origin Server on the Regional Edge

Local Endpoints ONLY

Local Endpoints Preferred

All Endpoints

Non existent or “DOWN”

Traffic is dropped as no destination can be found

As no local Endpoints are “UP”, selecting Endpoints “UP” from other REs if any (using the load balancing algorithm) – crossing F5 Global Network

As no local Endpoints are “UP”, selecting Endpoints “UP” from other REs if any (using the load balancing algorithm) – crossing F5 Global Network

Listed as “UP”

Leave directly to the destination

Leave directly to the destination

Leave directly to the destination

RE to RE when intial RE Origin Server is marked DOWN


The intent of this article is to clarify how you can control the Health Checks coming from Regional Edges, and use (or not) F5 XC Global Network to reach your application exposed on the Internet.

Of course, if you want a better control of this traffic, and even secure the transport of this traffic, you can add a Customer Edge closer to your application, on premise or in the cloud.



Related Content

Adding WAAP to your HTTP LB in F5 Distributed Cloud : https://community.f5.com/t5/technical-articles/deploy-waap-anywhere-with-f5-distributed-cloud/ta-p/313079

Published Jun 12, 2023
Version 1.0

Was this article helpful?

No CommentsBe the first to comment